ZH2003-3SP (security patch): multiple vulnerabilities in mod_gzip 1.3.x debug mode

From: Astharot (secfoc_at_email.it)
Date: 10/07/03

    Date: Tue, 7 Oct 2003 01:16:26 +0200
    To: bugtraq@securityfocus.com
    
    

    ZH2003-3SP (security patch): multiple vulnerabilities in mod_gzip 1.3.x debug
    mode

    Released: 7 October 2003
    Name: mod_gzip
    Affected versions: all versions (debug mode)
    Issue: stack overflow, format string and insecure file creation
    Author: Astharot (at Zone-H.org)
    Vendor: http://sourceforge.net/projects/mod-gzip/

    Description
    **********
    Zone-H Security Team wrote a patch for the unresolved vulnerabilities found in
    the debug mode of mod_gzip. According to the information on the mod_gzip
    website, mod_gzip "is an Internet Content Acceleration module for the popular
    Apache Web Server. It compresses the contents delivered to the client."

    Details
    **********
    Matthew Murphy (mattmurphy[at]kc.rr.com) discovered multiple vulnerabilities in
    the debug mode of mod_gzip. The first vulnerability is a stack-based buffer
    overflow. It has been reported that requesting a long filename causes a buffer
    overflow in the logging mechanism. If the return address can be overwritten,
    it is possible to execute arbitrary code with the privileges of the webserver.
    The second vulnerability is a format string flaw. A remote user can submit a
    specially crafted HTTP GET request to trigger a format string flaw in the use
    of the Apache logging mechanism. An attacker may be able to execute arbitrary
    code. The third and last vulnerability is an insecure file creation. A local
    user can create a symbolic link from the temporary file name to a critical
    file. When mod_gzip is executed, the linked file will be overwritten. mod_gzip
    logs some debug events with root privileges, so a local user can potentially
    exploit this to gain root privileges on the system.

    Solution
    **********
    The patch can be downloaded here:
    http://www.zone-h.org/download/file=4954/.

    Download the patch, then in the source directory type:

    patch < mod_gzip.diff

    then recompile mod_gzip.

    Link to this advisory:
    http://www.zone-h.org/en/advisories/read/id=3225/

    Astharot

    -- 
    http://www.zone-h.org - astharot@zone-h.org
    PGP Key: http://www.gife.org/astharot.asc
    Linux User #292132
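
Added example (not part of the advisory, and not code from mod_gzip or the Zone-H patch): the defensive C patterns that address each of the three issue classes named in the Details section. The function names, the log line format and the /tmp paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper names; this is not mod_gzip source. */
/* Issues 1 and 2: the copy is bounded by outsz, and the request URI is only
 * ever an argument to a constant format. Returns 0, or -1 if truncated. */
int format_debug_line(char *out, size_t outsz, const char *uri)
{
    int n = snprintf(out, outsz, "mod_gzip debug: uri=%s\n", uri);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Issue 3: O_CREAT|O_EXCL fails if the name already exists, including as a
 * symlink created by another local user; O_NOFOLLOW states the intent. */
int open_debug_log(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a symlink sits at the log path and points at a file
 * that must stay untouched. Returns 1 if the open is refused, else 0. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/dbglog-XXXXXX", target[64], lnk[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/critical", dir);
    snprintf(lnk, sizeof lnk, "%s/debug.log", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    int ok = symlink(target, lnk) == 0
          && open_debug_log(lnk) == -1
          && stat(target, &st) == 0 && st.st_size == 0;
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    char line[64];
    int rc = format_debug_line(line, sizeof line, "/a%n%s.html");
    printf("rc=%d line=%s", rc, line);
    printf("symlink refused: %d\n", symlink_is_refused());
    return 0;
}
```

A truncated line is reported through the return value so the caller can decide whether to log the shortened form or drop the event.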
    
